The Wall Street Journal — BRUSSELS—Europe’s new privacy law took effect Friday, causing major U.S. news websites to suspend access across the region as data-protection regulators prepare to brandish their new enforcement powers.
Tronc Inc. , publisher of the Los Angeles Times, New York Daily News and other U.S. newspapers, was among those that blocked readers in the European Union from accessing sites, as they scrambled to comply with the sweeping regulation.
Other U.S. regional newspapers owned by Lee Enterprises Inc. , as well as bookmarking app Instapaper, owned by Pinterest. Inc., were also blocking access in the EU.
The EU’s General Data Protection Regulation foresees steep fines for companies that don’t comply with the new rules, aimed at giving Europe-based users more control over the data companies hold on them.
Businesses have raced to comply with the new law, but surveys indicate that a majority may not be ready.
Companies are unlikely to be blindsided with harsh penalties Friday, because the rules don’t apply retroactively—but some companies are deciding it is safer to suspend access in Europe rather than risk sanctions—which the EU’s top privacy regulator Thursday warned could come soon.
“I’m sure you won’t have to wait for a couple of months,” said Andrea Jelinek, about when the first fines could land. On Friday, Ms. Jelinek is expected to be voted in as the head of a new European Data Protection Board, which includes national data-protection regulators from each of the EU’s member countries.
As of Friday, firms that violate the EU’s privacy rules risk fines as high as 4% of their global revenue.
Companies will be required under the GDPR to report data breaches within several days. In addition, companies will often need to obtain users’ consent to process their personal information. Customers will have the right to see what data companies hold on them and can request for some to be deleted. Companies are responsible for showing they are complying with obligations.
Firms of all sizes have been racing to overhaul their systems in time for the deadline to show that the way they gather and handle information about Europeans follows the rules.
Speaking at a press briefing, Ms. Jelinek said companies should have had plenty of time to comply with the new law, given that the regulation was adopted in 2016. Lawmakers delayed the law’s implementation by two years to give the companies that time. “The situation isn’t new,” she said.
Aggressive potential penalties are likely to affect some business decisions. Large enterprises acquiring small startups that use personal data might decide against launching a service in Europe, out of concern that the startup could expose the parent to a fine based on the entire enterprise’s revenue.
“If I could choose between [launching a data-related business] in Paris and in New York…I’m going to at least advise the business people to do it in New York,” said David Hoffman, global privacy officer at Intel Corp.
GDPR arrives as Facebook Inc. is still struggling to contain the fallout from revelations that data-analytics firm Cambridge Analytica improperly obtained the personal information of as many as 87 million users of the social network.
Facebook CEO Mark Zuckerberg visited European Parliament on May 22 to answer questions about the scandal, which EU officials say only reconfirmed the need for the new privacy rules and helped promote the legislation to the broader public.
The EU’s national privacy regulators, who are each also in charge of tasks like authorizing firms’ data transfers abroad, are unlikely to have the bandwidth to crack down on large numbers of companies across different sectors. Tech companies that profit from users’ data are therefore likely to be prime targets, said EU Justice Commissioner Vera Jourova. The data-protection authority of Ireland has said it would prioritize cases where large numbers of users’ data is processed, which it considers higher-risk.
One still-unsettled question is exactly what data companies can collect. Companies are arguing that certain types of information are necessary to fulfill a contract with the user; meanwhile, activists are planning to challenge some large companies over that question.
Dale Sunderland, deputy commissioner at Ireland’s privacy regulator, said the agency was leading a group of data-protection authorities who are investigating that particular issue. He said he expects the EU’s privacy regulators to publish a paper on the topic in the fall.
“We believe that we collectively need to look into and address this matter to provide clarity for the use of contractual necessity for free online services,” Mr. Sunderland said.
On Thursday, Facebook’s Mr. Zuckerberg told a tech conference that his company has worked hard to comply with the GDPR, including by asking users to opt-in to see targeted ads on Facebook based on their use of other websites and apps.
“The vast majority of people choose to opt in,” Mr. Zuckerberg said, “because the reality is, if you’re going to see ads on a service, you want them to be relevant and good ads.”
Companies aren’t the only ones scrambling to get into shape with the new law. The European Commission, the bloc’s executive body, said eight countries including Belgium, Bulgaria and Hungary were late in implementing the necessary national legislation for GDPR. The commission can launch court proceedings against any member state that fails to implement EU legislation.
Regulatory agencies in other countries worry they are under-resourced for the workload expected to come down the pipeline, Ms. Jourova, the justice commissioner, said.
Asked about the issue of resources, the data-protection board’s Ms. Jelinek said, “We will try to do our best and we will act in a very professional way.”

One still-unsettled question is exactly what data companies can collect.

That's the crux, isn't it? If you can't define what data they can collect, you can hardly define what they can't. From this story, it all looks pretty vague. Given two years to develop the necessary regulations, you'd think they'd have it done by now.

The EU rules basically prohibit sites from harvesting any data that identifies you, not even an IPA, unless you opt in. Like any new legislation, like the ACA for instance, it is an imperfect instrument that must be fleshed out over time. But the overall intent of Europe's new rules is pretty clear.

It's the USA's regulations, or rather lack of them, propagated before the age of the smartphone with its ability to collect massive amounts of data on each user, that now look antiquated, undefined and likely to come back at your enterprise and bite its butt. Mark Zuckerberg can testify to that. And Cambridge Analytica. Most of all Hillary Clinton, the Woman-Who-But-For-The-WWW-Would-Be-President.

The EU regulators' alleged inability to 'have it done' after a mere 2 years should be contrasted with US Senators' shocking inability even to have their respective staffs frame intelligent questions about the Web after 25 years.

Agreed, that the U.S. badly needs effective ways to protect our privacy. But the inability of elected legislators to agree is not comparable with the inability of appointed and presumably expert regulators to regulate.

It's not a question of our lawmakers failing to agree on regulation but of their competence to legislate in this area. Surely there must had to have been one Senate staffer with intelligent questions for Mark Zuckerberg in advance of his testimony. So why didn't the senators ask those questions after hauling the man before a congressional committee to testify? With few exceptions, each senator grandstanded, then asked questions that covered herself with ignominy. Surprisingly, MZ was able to keep a straight face thru it all.

Unlike the US, the EU has moved beyond mere political posturing and enacted some Web-user protections, maybe imperfect, but in all fairness, doing something is better than standing pat given the current thunderheads in the Cloud.

As for demanding that an 'expert' produce clear, unambiguous rules writ from 'you know where' — the courts are open and available to any and all enterprises that find the new regulations unclear or ambiguous.